Suggest to change template to interface if appropriate

[cgzones]

If a template does not define anything (type, attribute, ...) and does not call a template, suggest to change to an interface.

Find https://github.com/SELinuxProject/refpolicy/commit/bf6cc10e167ee744fdf7012cf635ef6a37c50176

[dburgener]

I had thought we already had this, but it looks like we only have the other way around (S-004 and S-005 show definitions or template calls in interfaces).

One thing to consider here is this: https://github.com/SELinuxProject/refpolicy/blob/0c5a622fea7ebe660465da6296460b7e7b1a9d08/policy/modules/services/xserver.if#L310

This is a template rather than an interface because it uses a prefix, but it doesn't declare any types. Refpolicy does selint-disable:S-004 in an interface that calls it to accomodate.

I believe I spoke to @pebenito about this back when we were implementing selint in refpolicy and my recollection is that he said that in his view the definition of template was the use of prefixes rather than types, attributes etc in arguments. It might be preferable if we do a check as you suggest to implement it based on the prefix definition rather than the declaration definition.

[pebenito]

The main differences between interfaces and templates is interfaces cannot:

• declare anything (no side effects)
• use prefixes.

[cgzones]

With this classification, was the commit https://github.com/SELinuxProject/refpolicy/commit/bf6cc10e167ee744fdf7012cf635ef6a37c50176 correct, cause systemd_user_daemon_domain() takes a prefix as first argument?

[pebenito]

You're correct, I missed that. I reverted the change.